The maintenance work for kopia/restic backup repositories is run in jobs
Since velero started using kopia as the approach for filesystem-level backup/restore, we've noticed an issue when velero connects to the kopia backup repositories and performs maintenance, it sometimes consumes excessive memory that can cause the velero pod to get OOM Killed. To mitigate this issue, the maintenance work will be moved out of velero pod to a separate kubernetes job, and the user will be able to specify the resource request in "velero install".
Volume Policies are extended to support more actions to handle volumes
In an earlier release, a flexible volume policy was introduced to skip certain volumes from a backup. In v1.14 we've made enhancement to this policy to allow the user to set how the volumes should be backed up. The user will be able to set "fs-backup" or "snapshot" as value of “action" in the policy and velero will backup the volumes accordingly. This enhancement allows the user to achieve a fine-grained control like "opt-in/out" without having to update the target workload. For more details please refer to https://velero.io/docs/v1.14/resource-filtering/#supported-volumepolicy-actions
Node Selection for Data Movement Backup
In velero the data movement flow relies on datamover pods, and these pods may take substantial resources and keep running for a long time. In v1.14, the user will be able to create a configmap to define the eligible nodes on which the datamover pods are launched. For more details refer to https://velero.io/docs/v1.14/data-movement-backup-node-selection/
VolumeInfo metadata for restored volumes
In v1.13, we introduced volumeinfo metadata for backup to help velero CLI and downstream adopter understand how velero handles each volume during backup. In v1.14, similar metadata will be persisted for each restore. velero CLI is also updated to bring more info in the output of "velero restore describe".
"Finalizing" phase is introduced to restores
The "Finalizing" phase is added to the state transition flow to restore, which helps us fix several issues: The labels added to PVs will be restored after the data in the PV is restored via volumesnapshotter. The post restore hook will be executed after datamovement is finished.
Certificate-based authentication support for Azure
Besides the service principal with secret(password)-based authentication, Velero introduces the new support for service principal with certificate-based authentication in v1.14.0. This approach enables you to adopt a phishing resistant authentication by using conditional access policies, which better protects Azure resources and is the recommended way by Azure.
Runtime and dependencies
Golang runtime: v1.22.2
kopia: v0.17.0
Limitations/Known issues
For the external BackupItemAction plugins that take snapshots for PVs, such as vsphere plugin. If the plugin checks the value of the field "snapshotVolumes" in the backup spec as a criteria for snapshot, the settings in the volume policy will not take effect. For example, if the "snapshotVolumes" is set to False in the backup spec, but a volume meets the condition in the volume policy for "snapshot" action, because the plugin will not check the settings in the volume policy, the plugin will not take snapshot for the volume. For more details please refer to #7818
Breaking changes
CSI plugin has been merged into velero repo in v1.14 release. It will be installed by default as an internal plugin, and should not be installed via "–plugins " parameter in "velero install" command.
The default resource requests and limitations for node agent are removed in v1.14, to make the node agent pods have the QoS class of "BestEffort", more details please refer to #7391
There's a change in namespace filtering behavior during backup: In v1.14, when the includedNamespaces/excludedNamespaces fields are not set and the labelSelector/OrLabelSelectors are set in the backup spec, the backup will only include the namespaces which contain the resources that match the label selectors, while in previous releases all namespaces will be included in the backup with such settings. More details refer to #7105
Patching the PV in the "Finalizing" state may cause the restore to be in "PartiallyFailed" state when the PV is blocked in "Pending" state, while in the previous release the restore may end up being in "Complete" state. For more details refer to #7866
All Changes
Fix backup log to show error string, not index (#7805, @piny940)
Linux amd64 (checksum / 2694b91c3e501cff57caf650e639604a274645f61af2ea4d601677b746b44fe2)
Linux arm (checksum / 2b28fda1d8c6f087011bc7ec820051a13409dadce8385529f306476632e24e85)
Linux arm64 (checksum / adcf07b08484b52508e5cbc8b5f4b0b0db50342f7bc487ecd88b8948b680e6a7)
Linux i386 (checksum / 8e0bb5a08c7c227a8e285026b6283726ddc0e1f406e2af4d4d600fa1dd85c21e)
Linux ppc64le (checksum / 9d95528fb797f6429f7f9b6dee0cf87bf8c71f6470e1db4a51e844c169c285a3)
Linux s390x (checksum / 5b42bc3d08fd0ffaf4f9ed810f28464f52ec4ea431b809c7179071d76f3d6f16)
Linux riscv64 (checksum / 2998bae9971a55f862c21bff337c325cb6a44f28ef76e11bffc93d16989e11e6)
Windows amd64 (checksum / cbf40b79fa2a7dbd6e24201f8660b56261d10d6e7b5cadc3ff78100fb45b3c69)
This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarinakeybase account. Please use the attached signatures for verifying this release using gpg.
The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.
What's Next
3.15.3 will contain only bug fixes and be released on July 10, 2024.
3.16.0 is the next feature release and will be on September 11, 2024.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the security group with 12 updates:
1.8.01.8.11.13.21.14.00.30.10.30.20.30.10.30.20.30.10.30.20.30.10.30.20.30.10.30.20.30.10.30.22.120.12.130.03.15.13.15.20.30.10.30.20.30.10.30.2Updates
github.com/spf13/cobrafrom 1.8.0 to 1.8.1Release notes
Sourced from github.com/spf13/cobra's releases.
... (truncated)
Commits
e94f6d0Address golangci-lint deprecation warnings, enable some more linters (#2152)8003b74Remove fully inactivated linters (#2148)5c2c1d6Consistent annotation names (#2140)5a1aceabuild(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.3 to 2.0.4 (#2127)0fc86c2docs: update user guide (#2128)6b5f577More linting (#2099)bd914e5fix: remove deprecated io/ioutils package (#2120)1f80fa2chore: remove repetitive words (#2122)c69ae4cci: test golang 1.22 (#2113)a30cee5build(deps): bump actions/cache from 3 to 4 (#2102)Updates
github.com/vmware-tanzu/velerofrom 1.13.2 to 1.14.0Release notes
Sourced from github.com/vmware-tanzu/velero's releases.
... (truncated)
Commits
2fc6300Merge pull request #7860 from blackpiglet/update_e2e_for_1_14200f16eMerge branch 'release-1.14' into update_e2e_for_1_140d36572Merge pull request #7876 from reasonerjt/update-release-note-1.1408fea6eMerge branch 'release-1.14' into update-release-note-1.14d20bd16Skip parallel files upload and download test for Restic case.bf778c7Merge pull request #7875 from reasonerjt/fix-restore-crash-1.14a650059Update release note of 1.14f61c8b9Add checks for csisnapshot for vol_info population2136679Merge pull request #7852 from reasonerjt/fix-7849-1.14f6367caUse PVC to track the CSI snapshot in restoreUpdates
k8s.io/apifrom 0.30.1 to 0.30.2Commits
118f81cUpdate dependencies to v0.30.2 tagUpdates
k8s.io/apiextensions-apiserverfrom 0.30.1 to 0.30.2Commits
2d2addcUpdate dependencies to v0.30.2 tag803669dMerge pull request #124676cici37/automated-cherry-pick-of-#1246755e9c693Adding the feature gates to fix cost for VAP and webhook matchConditions.Updates
k8s.io/apimachineryfrom 0.30.1 to 0.30.2Commits
Updates
k8s.io/apiserverfrom 0.30.1 to 0.30.2Commits
3b2ed79Update dependencies to v0.30.2 tag7a3db50Merge pull request #124676cici37/automated-cherry-pick-of-#124675a30c80fMerge pull request #124802seantywork/automated-cherry-pick-of-#1246621ce5268Updated & added visibility to apiserver x509 test certificates expiring this ...e025ab4Adding the feature gates to fix cost for VAP and webhook matchConditions.Updates
k8s.io/cli-runtimefrom 0.30.1 to 0.30.2Commits
a93d336Update dependencies to v0.30.2 tagUpdates
k8s.io/client-gofrom 0.30.1 to 0.30.2Commits
592d891Update dependencies to v0.30.2 tagUpdates
k8s.io/klog/v2from 2.120.1 to 2.130.0Release notes
Sourced from k8s.io/klog/v2's releases.
Commits
16c7d26Merge pull request #401 from pohly/ktesting-warning-delaycd24012ktesting: tone down warning about leaked test goroutine2ee202aMerge pull request #404 from 1978629634/fsync-freelock79575d8Do not acquire lock for file.Sync() fsync call7af45d6Merge pull request #406 from pohly/linterd008cfeexamples: fix linter warningab53041Merge pull request #402 from pohly/linter-issuesff7c070build: fix some linter warnings569bb3cMerge pull request #399 from jsoref/spelling-corporation200f43echore(*): fix spelling of Intel CorporationUpdates
helm.sh/helm/v3from 3.15.1 to 3.15.2Release notes
Sourced from helm.sh/helm/v3's releases.
Commits
1a500d5fix: wrong cli description70b225cfix typo in load_plugins.gob3640f1fix docs of DeployedAll46e2ba0Bump github.com/docker/dockerfb311d3bump oras minor version23552a7feat(load.go): add warning on requirements.lockUpdates
k8s.io/kubeletfrom 0.30.1 to 0.30.2Commits
27f7e47Update dependencies to v0.30.2 tagUpdates
k8s.io/metricsfrom 0.30.1 to 0.30.2Commits
c87f47aUpdate dependencies to v0.30.2 tagDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show